Crypto-Gram
June 15, 2026
by Bruce Schneier
Fellow and Lecturer, Harvard Kennedy School
schneier@schneier.com
https://www.schneier.com
A free monthly newsletter providing summaries, analyses, insights, and commentaries on security: computer and otherwise.
For back issues, or to subscribe, visit Crypto-Gram's web page.
Read this issue on the web
These same essays and news items appear in the Schneier on Security blog, along with a lively and intelligent comment section. An RSS feed is available.
** *** ***** ******* *********** *************
In this issue:
If these links don't work in your email client, try reading this issue of Crypto-Gram on the web.
Bypassing On-Camera Age-Verification Checks
Zero-Day Exploit Against Windows BitLocker
Laurie Anderson Is Quoting Me
On AI Security
macOS Kernel Memory Corruption Exploit
CISA Security Leak
Identifying People Using Wi-Fi Routers
FBI's 2025 Internet Crime Report
Chilling Effects
Vulnerability Disclosure in the Age of AI
Microsoft Threatening Security Researcher
The Intersection of Encryption and AI
AI Used to Decrypt Medieval Ciphers
Hacking Meta's AI Chatbot
AI Worm
Anthropic's Project Glasswing Update
Critical Zcash Vulnerability Found and Fixed
GPS As a Key Distribution Platform
NSO Group Hacking WhatsApp Despite Court Order
Enhanced License Plate Tracking
Bernie Sanders' AI Sovereign Wealth Fund Plan
Upcoming Speaking Engagements
** *** ***** ******* *********** *************
Bypassing On-Camera Age-Verification Checks
[2026.05.15] Some AI-based video age-verification checks can be fooled with a fake mustache.
** *** ***** ******* *********** *************
Zero-Day Exploit Against Windows BitLocker
[2026.05.18] It's nasty, but it requires physical access to the computer:
The exploit, named YellowKey, was published earlier this week by a researcher who goes by the alias Nightmare-Eclipse. It reliably bypasses default Windows 11 deployments of BitLocker, the full-volume encryption protection Microsoft provides to make disk contents off-limits to anyone without the decryption key, which is stored in a secured piece of hardware known as a trusted platform module (TPM). BitLocker is a mandatory protection for many organizations, including those that contract with governments.
Slashdot thread. And here's Nightmare-Eclipse's GitHub account.
** *** ***** ******* *********** *************
Laurie Anderson Is Quoting Me
[2026.05.19] Not by name, but Laurie Anderson quotes me in one of the tracks of her new album:
My favorite quote is from a cryptologist who said "If you think technology will solve your problems, you don't understand technology and you don't understand your problems."
Also in interviews:
"Of course, it's ridiculous, outrageous, blah, blah, blah," Anderson says about the ad. "But, I mean, my favorite quote on this is from a cryptologist who said, 'If you think technology will solve your problems, you don't understand technology and you don't understand your problems.' And I think I'm completely on board with that."
People are telling me that she has been reciting this quote in performances for years. (I had lost track of her since college and her 1981 hit "O Superman.")
The quote originates with Roger Needham:
If you think cryptography can solve your problem, you don't understand your problem and you don't understand cryptography.
I modified the quote in the preface to my 2000 book Secrets and Lies:
A few years ago I heard a quotation, and I am going to modify it here: If you think technology can solve your security problems, then you don't understand the problems and you don't understand the technology.
I can't tell you why me in 2000 didn't credit Needham by name. I should have.
I have used the quote pretty consistently since then. Somewhere along the line I dropped "security" from the phrase, and now say it more like Anderson quotes me:
If you think technology will solve your problem, you don't understand your problem and you don't understand technology.
I sometimes use singular and sometimes use plural. Sometimes I say "the problem" and "the technology." But I think the quote flows better ending with just the word "technology."
EDITED TO ADD (5/12): It gets weirder. A friend sent me some 1997 emails that talk about this. Roger Needham wrote: "Butler Lampson and I each attribute to the other the remark." I wrote: "Roger Needham claims that Robert Morris said it. Robert Morris claims that Roger Needham said it. No one knows who the originator is." I said it from stage at Defcon that year -- definitely not the originator.
** *** ***** ******* *********** *************
On AI Security
[2026.05.20] Good report:
Executive Summary: Let's say you wanted to make sure that your AI is secure. Can you just maximize the security and privacy benchmark and call it a day? Nope, because benchmarks don't actually work for measuring AI capabilities (even when they are NOT emergent systemic properties like security). So let's take a step back: how do you measure security in the first place? Good question. Over the last 30 years, security engineering for software evolved from black box penetration testing, through whitebox code analysis and architectural risk analysis to de facto process-driven standards like the Building Security In Maturity Model (BSIMM). Software had a very deep impact on business operations, and it appears that AI is going to have an even deeper impact. Will a software security-like measurement move work for AI? Probably. In the meantime we can make real progress in AI security by cleaning up our WHAT piles and managing risk by identifying and applying good assurance processes. (Spoiler alert: no matter what we do, we still don't get a security meter for AI, so we need to be extra vigilant about security.)
** *** ***** ******* *********** *************
macOS Kernel Memory Corruption Exploit
[2026.05.21] A group used Anthropic's Mythos AI model to help find a kernel memory corruption vulnerability and exploit on Apple's M5.
News article.
** *** ***** ******* *********** *************
CISA Security Leak
[2026.05.22] Crazy story:
Until this past weekend, a contractor for the Cybersecurity & Infrastructure Security Agency (CISA) maintained a public GitHub repository that exposed credentials to several highly privileged AWS GovCloud accounts and a large number of internal CISA systems. Security experts said the public archive included files detailing how CISA builds, tests and deploys software internally, and that it represents one of the most egregious government data leaks in recent history.
News article.
** *** ***** ******* *********** *************
Identifying People Using Wi-Fi Routers
[2026.05.26] Not identifying people based on their use of Wi-Fi routers, but identifying people using Wi-Fi signals.
This is accomplished through what is known as WiFi sensing, or the use of WiFi signals to infer information about a physical environment. When radio signals like WiFi travel through a space, they interact with